5fe0d38c39ab6cb4c20d0a4b333c242aebed12e9a75138fcfe3ce8986ebc3c00

Analysis

max time kernel
142s
max time network
187s
platform
android_x86
resource
android-x86-arm-20240514-en
resource tags

androidarch:armarch:x86image:android-x86-arm-20240514-enlocale:en-usos:android-9-x86system
submitted
24-05-2024 15:44

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

6f05479fe223584d78606b3fe3d1f0be_JaffaCakes118.apk
Size

13.0MB
MD5

6f05479fe223584d78606b3fe3d1f0be
SHA1

ca9cfd5226cb563b867235e323cb30daec331ff8
SHA256

5fe0d38c39ab6cb4c20d0a4b333c242aebed12e9a75138fcfe3ce8986ebc3c00
SHA512

2502f468374bade315a8aa2aca0dda9f5218cce2eef09abc733045a8d7bd3a8ec6ceab4e1d524e6b91cd85f4e4e7effc04ac0acf7a6a72f41f5684222e835b8b
SSDEEP

196608:8SOVpt3w7VZxDDAsiR5byIoSDe17SzI51CoRjGuvBa7nZvwUPlZuaSXJi:8pV2Pf4wSDal51CoRj/Q7n/PlZuS

Score

8^/10

collection discovery evasion impact persistence

Malware Config

Signatures

Requests cell location 2 TTPs 1 IoCs
Uses Android APIs to to get current cell location.
collection discovery evasion

Location Tracking
T1430

Geofencing
T1627.001

Processes:

cn.it.picliu.fanyu.shuyou:TcmsService

description ioc process

Framework service call com.android.internal.telephony.ITelephony.getCellLocation cn.it.picliu.fanyu.shuyou:TcmsService

description	ioc	process
Framework service call	com.android.internal.telephony.ITelephony.getCellLocation	cn.it.picliu.fanyu.shuyou:TcmsService

Makes use of the framework's foreground persistence service 1 TTPs 2 IoCs

Application may abuse the framework's foreground service to continue running in the foreground.

evasion persistence

Foreground Persistence

T1541

Processes:

cn.it.picliu.fanyu.shuyou:TcmsServicecn.it.picliu.fanyu.shuyou:channel

description	ioc	process
Framework service call	android.app.IActivityManager.setServiceForeground	cn.it.picliu.fanyu.shuyou:TcmsService
Framework service call	android.app.IActivityManager.setServiceForeground	cn.it.picliu.fanyu.shuyou:channel

Queries information about running processes on the device 1 TTPs 3 IoCs

Application may abuse the framework's APIs to collect information about running processes on the device.

discovery

Process Discovery

T1424

Processes:

cn.it.picliu.fanyu.shuyoucn.it.picliu.fanyu.shuyou:channelcn.it.picliu.fanyu.shuyou:TcmsService

description	ioc	process
Framework service call	android.app.IActivityManager.getRunningAppProcesses	cn.it.picliu.fanyu.shuyou
Framework service call	android.app.IActivityManager.getRunningAppProcesses	cn.it.picliu.fanyu.shuyou:channel
Framework service call	android.app.IActivityManager.getRunningAppProcesses	cn.it.picliu.fanyu.shuyou:TcmsService

Queries information about the current Wi-Fi connection 1 TTPs 1 IoCs
Application may abuse the framework's APIs to collect information about the current Wi-Fi connection.
discovery

System Network Connections Discovery
T1421

Processes:

cn.it.picliu.fanyu.shuyou:TcmsService

description ioc process

Framework service call android.net.wifi.IWifiManager.getConnectionInfo cn.it.picliu.fanyu.shuyou:TcmsService

description	ioc	process
Framework service call	android.net.wifi.IWifiManager.getConnectionInfo	cn.it.picliu.fanyu.shuyou:TcmsService

Registers a broadcast receiver at runtime (usually for listening for system events) 1 TTPs 2 IoCs

persistence

Broadcast Receivers

T1624.001

Processes:

cn.it.picliu.fanyu.shuyoucn.it.picliu.fanyu.shuyou:TcmsService

description	ioc	process
Framework service call	android.app.IActivityManager.registerReceiver	cn.it.picliu.fanyu.shuyou
Framework service call	android.app.IActivityManager.registerReceiver	cn.it.picliu.fanyu.shuyou:TcmsService

Checks if the internet connection is available 1 TTPs 3 IoCs

discovery

System Network Connections Discovery

T1421

Processes:

cn.it.picliu.fanyu.shuyoucn.it.picliu.fanyu.shuyou:TcmsServicecn.it.picliu.fanyu.shuyou:channel

description	ioc	process
Framework service call	android.net.IConnectivityManager.getActiveNetworkInfo	cn.it.picliu.fanyu.shuyou
Framework service call	android.net.IConnectivityManager.getActiveNetworkInfo	cn.it.picliu.fanyu.shuyou:TcmsService
Framework service call	android.net.IConnectivityManager.getActiveNetworkInfo	cn.it.picliu.fanyu.shuyou:channel

Uses Crypto APIs (Might try to encrypt user data) 1 TTPs 3 IoCs

impact

Data Encrypted for Impact

T1471

Processes:

cn.it.picliu.fanyu.shuyoucn.it.picliu.fanyu.shuyou:channelcn.it.picliu.fanyu.shuyou:TcmsService

description	ioc	process
Framework API call	javax.crypto.Cipher.doFinal	cn.it.picliu.fanyu.shuyou
Framework API call	javax.crypto.Cipher.doFinal	cn.it.picliu.fanyu.shuyou:channel
Framework API call	javax.crypto.Cipher.doFinal	cn.it.picliu.fanyu.shuyou:TcmsService

cn.it.picliu.fanyu.shuyou
1⤵
- Queries information about running processes on the device
- Registers a broadcast receiver at runtime (usually for listening for system events)
- Checks if the internet connection is available
- Uses Crypto APIs (Might try to encrypt user data)
PID:4245

getprop ro.product.cpu.abi
2⤵
PID:4422

cn.it.picliu.fanyu.shuyou:channel
1⤵
- Makes use of the framework's foreground persistence service
- Queries information about running processes on the device
- Checks if the internet connection is available
- Uses Crypto APIs (Might try to encrypt user data)
PID:4307

cn.it.picliu.fanyu.shuyou:TcmsService
1⤵
- Requests cell location
- Makes use of the framework's foreground persistence service
- Queries information about running processes on the device
- Queries information about the current Wi-Fi connection
- Registers a broadcast receiver at runtime (usually for listening for system events)
- Checks if the internet connection is available
- Uses Crypto APIs (Might try to encrypt user data)
PID:4399

Network

MITRE ATT&CK Mobile v15

Initial Access

Execution

Persistence

Event Triggered Execution

T1624

Broadcast Receivers

T1624.001

Foreground Persistence

T1541

Privilege Escalation

Defense Evasion

Execution Guardrails

T1627

Geofencing

T1627.001

Foreground Persistence

T1541

Credential Access

Discovery

Location Tracking

T1430

Process Discovery

T1424

System Network Connections Discovery

T1421

Lateral Movement

Collection

Location Tracking

T1430

Command and Control

Exfiltration

Impact

Data Encrypted for Impact

T1471

Replay Monitor

Loading Replay Monitor...

Downloads

/data/data/cn.it.picliu.fanyu.shuyou/databases/MessageStore.db

Filesize
4KB

MD5
f5ae32aa1d107b065c2b758b7d8cc54e

SHA1
6f4c6201365aab1b4d6c1a1669213db716eaa1c1

SHA256
d96bd17a72f054221436b1e049350c1a11ad752a4e2dda89019394efd248979a

SHA512
35f7148afc30d4766733709af5daafe22c32039f358d2ef24cb9a1462e960141153ae95905b0516a15eb04c6f380445a52c381a0883e8f591f0711f3b7c6a6ea

Download Submit
/data/data/cn.it.picliu.fanyu.shuyou/databases/MessageStore.db-journal

Filesize
512B

MD5
ee07aa9e91c865a74a99c9c0576e26ef

SHA1
38e755c857bd55f7c8ea4e585b9d4cc328f1fabb

SHA256
fcdcd7ebb3eca1a207f9b88421fcd378b3e4e5803a991d99bc2b6eb2d5909413

SHA512
fc11a144887a0cf94ababc4e2a4e0d2c97c4a46bb90482a2448283af49ce9279d910051fcd340a6c7d1fbd9e8d01972e93f5f19b3c39280c975430a5dacda20c

Download Submit
/data/data/cn.it.picliu.fanyu.shuyou/databases/MessageStore.db-shm

Filesize
32KB

MD5
e7e483f847b0e711f68654125e90be81

SHA1
b6a67b28d0525dfa22f2f637c9d6d05e440fdaef

SHA256
23c8e89d9d4b201c39ea7fbae3b86c05763e4696e1553c429ecac3dfa67182ad

SHA512
dfdd0c06ee3706110fa956bdcde91b897704f464b0339c8abf19b67808942bb92aec2b9e192635e873669428240d8c26bd526d60dc203b5ffe9d7ca8190a4126

Download Submit
/data/data/cn.it.picliu.fanyu.shuyou/databases/MessageStore.db-wal

Filesize
48KB

MD5
7095f77fb9cc65d6621364198e1760c7

SHA1
ee541ee12e891c5ff9e59889adef1a99d81d7793

SHA256
81f31b07751df7f6dab91aa2bb703089c4fb0b7cbd81e6cb92dc8b2551c29d3e

SHA512
65e10d03ffc38945d3c0c514865bc7a4f812f251b6990bf95d398bea69f10af345866206a5c89bee461d4ddd4111c93de4acada841137e62c22acc29cd765f30

Download Submit
/data/data/cn.it.picliu.fanyu.shuyou/databases/accs.db

Filesize
4KB

MD5
a673367cfae74db3ebad06d0487c32a8

SHA1
eccdaec0143a0cb8bfc316674f1267ee1a2ae889

SHA256
0db6751cc64b7d3d06d7ddc24df5cf6c17bc38cc688c66a518143d91709a2ee7

SHA512
9ca4f70d0ff235f4620df91b8ae6221e9a89c1141fa7b139c86aaa895e2876e36bc3200c4bc48079aabf5414f11eb38abbd69701f42e896d0cf075a53b4bddd8

Download Submit
/data/data/cn.it.picliu.fanyu.shuyou/databases/accs.db-journal

Filesize
512B

MD5
1529fb2924825c4cc115527ffb80160a

SHA1
c15cef6c757d4e91edb2c64ba4d1db39bbeaadb5

SHA256
7eb65e9d1cea32fe1c24d8171957d2f5b6697ec487f9c14f32d7698d768ba066

SHA512
c51a9ee53ded1e58e0d6ee072bbd1a5bc43fc0ba886c024154901b922123a5cdd326390fb1e776f11cfadaf08b0920cc51924103cf479480ce953831b3e39671

Download Submit
/data/data/cn.it.picliu.fanyu.shuyou/databases/accs.db-shm

Filesize
32KB

MD5
bb7df04e1b0a2570657527a7e108ae23

SHA1
5188431849b4613152fd7bdba6a3ff0a4fd6424b

SHA256
c35020473aed1b4642cd726cad727b63fff2824ad68cedd7ffb73c7cbd890479

SHA512
768007e06b0cd9e62d50f458b9435c6dda0a6d272f0b15550f97c478394b743331c3a9c9236e09ab5b9cb3b423b2320a5d66eb3c7068db9ea37891ca40e47012

Download Submit
/data/data/cn.it.picliu.fanyu.shuyou/databases/accs.db-wal

Filesize
32KB

MD5
989910f088097bb5aa31b62d76a2ce55

SHA1
4ff32c4632a7a1776de429c4a8221425aa7a6183

SHA256
1d15bba65264229e067660068987bc9e6dcbbdc1e4ba1b8f70c4421743f58739

SHA512
2d80c946f083886a9356907819b935638fe8e3b1ead8fabf64168aaf4c9360cad6b03c76de2db44b80537cd7d949c8484809405afa23107c83f6da7881a6e7d8

Download Submit
/storage/emulated/0/.UTSystemConfig/Global/Alvin2.xml

Filesize
167B

MD5
fb50570fb38132e7d098ff298339a3f7

SHA1
dc363093fec77ee0be013c7dff8ac49ce3bea304

SHA256
1addee95a2063ad82b530fceff17157b32a35e63aea08db9466e3624cbe43b65

SHA512
556cbe746cf9f6a525647dd00ade1000a9b6e98951ac32bf7f3fc13e57a10f1c5eb3640d4d9c9f659c571ccd61851d5fc2b0516943a6774ca98f5353fd25f25c

Download Submit
/storage/emulated/0/Android/data/cn.it.picliu.fanyu.shuyou/files/tnetlogs/inapp_20240524.log

Filesize
544B

MD5
9befb9bd2eaa903792f4d8cfa4abd6b3

SHA1
e1ce5264215186795a19c05763fd339137a5eb92

SHA256
c303d03d5193023e4e0e30f0ee00d0bd9d0cbe2df45d8a5d833e59c7ba8943a2

SHA512
20321a9b023e509d42cb37f8d348f2bac1e3654e67208e8a80ade661f6ef712fac381c0802de6cd3c57a91ca25a4f68fa77821069b0e3f29eaa9c219db4d768a

Download Submit
/storage/emulated/0/crash/crash-2024-05-24-15-44-41-1716565481653.log

Filesize
4KB

MD5
06fdfae5e9ee700d05fcc001a404478f

SHA1
573b6ecb8c84ba0442c125f0e10608903cd37d3d

SHA256
7a9d27f7a9c05ddb2ded1618ce12ec584886d3e865c2fa9cc6858febfafd8eff

SHA512
824ffa8a59bf6a161abd0e3a4b53eeb43e80e6a6325641920da433c41cd85e8d155ac848d4ca4d1acdb93adaf7fe999f1566027dfc552e2ae1fd6bcce08b1945

Download Submit